Department of Homeland Security

Information Technology Management
Letter for the Immigration and
Customs Enforcement Component of
the FY 2011 DHS Financial Statement Audit

OIG-12-50
March 2012

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 25028

March 14, 2012

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established
by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector
General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as
part of our oversight responsibilities to promote economy, efficiency, and effectiveness within
the Department.

This report presents the information technology (IT) management letter for the Immigration and
Customs Enforcement (ICE) component of the fiscal year (FY) 2011 DHS consolidated financial
statement audit as of September 30, 2011. It contains observations and recommendations related
to information technology internal control weaknesses that were summarized in the Independent
Auditors’ Report dated November 11, 2011 and presents the separate restricted distribution
report mentioned in that report. The independent accounting firm KPMG LLP (KPMG)
performed the audit procedures at the ICE component in support of the DHS FY 2011
consolidated financial statement audit and prepared this IT management letter. KPMG is
responsible for the attached IT management letter and the conclusions expressed in it.
We do not
express opinions on DHS’ financial statements or internal control or conclusion on compliance
with laws and regulations.

The recommendations herein have been developed to the best knowledge available to our office,
and have been discussed in draft with those responsible for implementation. We trust that this
report will result in more effective, efficient, and economical operations. We express our
appreciation to all of those who contributed to the preparation of this report.

Frank Deffer
Assistant Inspector General
Office of Information Technology Audits

KPMG LLP
Suite 12000
1801 K Street, NW
Washington, DC 20006

February 16, 2012

Inspector General
U.S. Department of Homeland Security

Chief Information Officer and
Chief Financial Officer
U.S. Immigration and Customs Enforcement

We have audited the balance sheet of the U.S. Department of Homeland Security (DHS or
Department) as of September 30, 2011 and the related statement of custodial activity for the year then
ended (referred to herein as the “fiscal year (FY) 2011 financial statements”). The objective of our
audit was to express an opinion on the fair presentation of these financial statements. We were also
engaged to examine the Department’s internal control over financial reporting of the balance sheet as
of September 30, 2011, and statement of custodial activity for the year then ended, based on the
criteria established in Office of Management and Budget, Circular No. A-123, Management’s
Responsibility for Internal Control, Appendix A.
In connection with our audit, we also considered
DHS’ compliance with certain provisions of applicable laws, regulations, contracts, and grant
agreements that could have a direct and material effect on the FY 2011 financial statements.

Our Independent Auditors’ Report issued on November 11, 2011, describes a limitation on the scope of
our audit that prevented us from performing all procedures necessary to express an unqualified opinion
on DHS’ FY 2011 financial statements and internal control over financial reporting. In addition, the
FY 2011 DHS Secretary’s Assurance Statement states that the Department was unable to provide
assurance that internal control over financial reporting was operating effectively at September 30,
2011.

A deficiency in internal control exists when the design or operation of a control does not allow
management or employees, in the normal course of performing their assigned functions, to prevent, or
detect and correct misstatements on a timely basis. A material weakness is a deficiency, or
combination of deficiencies, in internal control such that there is a reasonable possibility that a material
misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a
timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal
control that is less severe than a material weakness, yet important enough to merit attention by those
charged with governance. In accordance with Government Auditing Standards, our Independent
Auditors’ Report, dated November 11, 2011, included internal control deficiencies identified during
our audit, that individually, or in aggregate, represented a material weakness or a significant
deficiency.
This letter represents the separate limited distribution report mentioned in that report.

During our audit engagement, we noted certain matters in the areas of access controls, configuration
management, security management, contingency planning, and segregation of duties with respect to
DHS’ financial systems general Information Technology (IT) controls which we believe contribute to a
DHS-level significant deficiency that is considered a material weakness in IT controls and financial
system functionality. We also noted that in some cases, financial system functionality is inhibiting
DHS’ ability to implement and maintain internal controls, notably IT applications controls supporting
financial data processing and reporting. These matters are described in the General IT Control
Findings and Recommendations section of this letter.

KPMG LLP is a Delaware limited liability partnership,
the U.S. member firm of KPMG International Cooperative
(“KPMG International”), a Swiss entity.

Although not considered to be a material weakness, we also noted certain other items during our audit
engagement which we would like to bring to your attention. These matters are also described in the
General IT Control Findings and Recommendations section of this letter.

The material weakness and other comments described herein have been discussed with the appropriate
members of management, or communicated through a Notice of Finding and Recommendation (NFR),
and are intended For Official Use Only.
We aim to use our knowledge of DHS’ organization gained
during our audit engagement to make comments and suggestions that we hope will be useful to you.
We have not considered internal control since the date of our Independent Auditors’ Report.

The Table of Contents on the next page identifies each section of the letter. We have provided a
description of key DHS financial systems within the scope of the FY 2011 DHS financial statement
audit engagement in Appendix A; a description of each internal control finding in Appendix B; and the
current status of the prior year NFRs in Appendix C. Our comments related to financial management
and reporting internal controls (comments not related to IT) have been presented in a separate letter to
the Office of Inspector General and the DHS Chief Financial Officer.

This report is intended solely for the information and use of DHS management, DHS Office of
Inspector General (OIG), U.S. Office of Management and Budget (OMB), U.S. Government
Accountability Office (GAO), and the U.S. Congress, and is not intended to be and should not be used
by anyone other than these specified parties.

Very truly yours,

Department of Homeland Security
Immigration and Customs Enforcement
Information Technology Management Letter
September 30, 2011

INFORMATION TECHNOLOGY MANAGEMENT LETTER
TABLE OF CONTENTS

Objective, Scope, and Approach
Summary of Findings and Recommendations
General IT Control Findings and Recommendations
   Configuration Management
   Access Control
   Security Management
      After-Hours Physical Security Testing
      Social Engineering Testing
   Segregation of Duties
Application Controls

APPENDICES

Appendix  Subject
   A      Description of Key ICE Financial Systems and IT Infrastructure within the Scope of the FY
          2011 DHS Financial Statement Audit
   B      FY 2011 Notices of IT Findings and Recommendations at ICE
             • Notice of Findings and Recommendations – Definition of Severity Ratings
   C      Status of Prior Year Notices of Findings and Recommendations and Comparison to Current
          Year Notices of Findings and Recommendations at ICE
   D      Report Distribution

Information Technology Management Letter for the
Immigration and Customs Enforcement Component
of the FY 2011 DHS Financial Statement Audit

OBJECTIVE, SCOPE, AND APPROACH

In connection with our audit of DHS’ balance sheet as of September 30, 2011 and the related statement of
custodial activity for the year then ended, we performed an evaluation of the general information
technology controls (GITC) at ICE, to assist in planning and performing our audit. The Federal
Information System Controls Audit Manual (FISCAM), issued by the GAO, formed the basis of our GITC
evaluation procedures. The scope of the GITC evaluation is further described in Appendix A.
FISCAM was designed to inform financial auditors
about IT controls and related audit concerns to assist them in planning their audit work and to integrate
the work of auditors with other aspects of the financial audit. FISCAM also provides guidance to IT
auditors when considering the scope and extent of review that generally should be performed when
evaluating general controls and the IT environment of a federal agency. FISCAM defines the following
five control functions to be essential to the effective operation of the general IT controls environment.

• Security Management (SM) – Controls that provide a framework and continuing cycle of activity for
  managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy
  of computer-related security controls.
• Access Control (AC) – Controls that limit or detect access to computer resources (data, programs,
  equipment, and facilities) and protect against unauthorized modification, loss, and disclosure.
• Configuration Management (CM) – Controls that help to prevent unauthorized changes to information
  system resources (software programs and hardware configurations) and provide reasonable assurance
  that systems are configured and operating securely and as intended.
• Segregation of Duties (SD) – Controls that constitute policies, procedures, and an organizational
  structure to manage who can control key aspects of computer-related operations.
• Contingency Planning (CP) – Controls that involve procedures for continuing critical operations
  without interruption, or with prompt resumption, when unexpected events occur.

To complement our GITC audit procedures, we also performed technical security testing for key network
and system devices, as well as testing over key financial application controls in the ICE environment.
The technical security testing was performed both over the Internet and from within select ICE facilities,
and focused on test, development, and production devices that directly support key general support
systems.

SUMMARY OF FINDINGS AND RECOMMENDATIONS

During FY 2011, ICE took corrective action to address some prior year IT control weaknesses. For
example, ICE made improvements over mandatory training for IT security personnel, and Federal
Financial Management Systems (FFMS) password configurations. However, during FY 2011, we
continued to identify IT general control weaknesses that could potentially impact ICE’s financial data.
The most significant findings from a financial statement audit perspective were related to the FFMS
configuration and patch management, and weaknesses over physical security and security awareness.
Collectively, the IT control deficiencies limited ICE’s ability to ensure that critical financial and
operational data were maintained in such a manner to ensure confidentiality, integrity, and availability. In
addition, these control deficiencies negatively impacted the internal controls over ICE financial reporting
and its operation and we consider them to contribute to a material weakness at the Department level under
standards established by the American Institute of Certified Public Accountants.
In addition, based upon
the results of our test work, we noted that ICE contributes to the DHS’ non-compliance with the
requirements of the Federal Financial Management Improvement Act.

Of the 11 findings identified during our FY 2011 testing, only 2 were new IT findings. These findings
represent control deficiencies in four of the five FISCAM key control areas: configuration management,
access controls, security management, and segregation of duties. Specifically, these control deficiencies
include: 1) inadequately designed and operating configuration management, 2) lack of effective
segregation of duties controls within a financial application, 3) lack of FFMS patch management, and 4)
weak FFMS account management. These control deficiencies may increase the risk that the
confidentiality, integrity, and availability of system controls and ICE financial data could be exploited
thereby compromising the integrity of financial data used by management as reported in DHS’
consolidated financial statements.
While the recommendations made by KPMG should be considered by
ICE, it is the ultimate responsibility of ICE management to determine the most appropriate method(s) for
addressing the weaknesses identified based on their system capabilities and available resources.

GENERAL IT CONTROL FINDINGS AND RECOMMENDATIONS

Findings:
During the FY 2011 DHS Financial Statement Audit, we identified the following ICE IT and financial
system control deficiencies that in the aggregate contribute to the material weakness at the Department
level.

Configuration Management
• Security configuration management control deficiencies exist on the Active Directory Exchange
  (ADEX). These control deficiencies included default installation and configuration settings on the
  Cisco routers.
• Security configuration management over FFMS included:
   - Network servers were installed with default configuration settings and protocols.
   - Mainframe production databases were installed and configured without baseline security
     configurations.
   - Servers and workstations have inadequate patch management.

Access Control
• A lack of recertification of FFMS system users.
• ADEX system access was not consistently removed for terminated employees and contractors.

Security Management
• Procedures for transferred and terminated personnel exit processing have not been reviewed,
  implemented, nor authorized by ICE management.

After-Hours Physical Security Testing:
We performed after-hours physical security testing to identify risks related to non-technical aspects of IT
security. These non-technical IT security aspects included physical access to media and equipment that
housed financial data and information residing within an ICE employee’s or contractor’s work area,
which could be used by others to gain unauthorized access to systems housing financial information. The
testing was performed at various ICE locations that process and/or maintain financial data. The specific
results are listed as shown in the following table:

                                           Total Exceptions by Type
Exceptions Noted                           OCIO/OFM TechWorld 10th floor  OCIO PCN 3rd floor  OCFO PCN 4th floor  Total Exceptions by Type
User Name and Passwords                    5                              3                   1                   9
Keys/Badges                                2                              0                   1                   3
Personally Identifiable Information (PII)  7                              3                   2                   12
Server Names/IP Addresses                  0                              5                   0                   5
Laptops                                    6                              1                   6                   13
External Drives                            0                              3                   0                   3
Credit Cards                               1                              0                   1                   2
Air Card                                   1                              0                   0                   1
FOUO                                       8                              6                   3                   17
Total Exceptions by Location               30                             21                  14                  65

In addition, a KPMG team member was able to access the Techworld facility using their KPMG badge,
which is not assigned nor recognized by any of the agencies within the Techworld facility.

Social Engineering Testing:
Social engineering is defined as the act of attempting to manipulate or deceive individuals into taking
action that is inconsistent with DHS policies, such as divulging sensitive information or
allowing/enabling computer system access. The term typically applies to deception for the purpose of information
gathering, or gaining computer system access, as shown in the following table:

Total Called   Total Answered   Number of people who provided a username and/or password
36             25               1 – Both User Name and Password

Segregation of Duties
• FFMS roles and responsibilities for the Funds Certification Official and Approving Official profiles
  were not effectively segregated.

Recommendations:
We recommend that the ICE Chief Information Officer and Chief Financial Officer, in coordination with
the DHS Office of Chief Financial Officer and the DHS Office of the Chief Information Officer, make the
following improvements to ICE’s financial management systems and associated information technology
security program.

For Configuration Management
• Implement an immediate and long term remediation strategy to resolve the ADEX authentication
  weaknesses.
  In addition, configuration management procedures and templates should be reviewed
  and modified as appropriate.
• Examine the default configuration installations and system services installed on FFMS network
  devices and remove unnecessary system services.
• Ensure that password configuration settings are properly and effectively applied.
• Assess the patch deployment and testing processes and develop a process for patching applications
  across the enterprise.
• Implement appropriate FFMS database and network server patches and configuration baseline
  parameters consistent with DHS guidelines.

For Access Controls
• Enforce the existing policies and procedures to recertify FFMS user privileges at the end of each
  calendar year.
• Ensure implementation of the ICE Exit Clearance Directive which will establish the process for
  separating employees, both Federal and contractors, and formalize a process to ensure that separating
  employees have their access to all ICE information technology systems removed.

For Security Management
• Complete the implementation of the policy which governs the exit clearance process and identifies the
  procedures that separating employees and contractors must take to ensure the return and/or
  safeguarding of government property, equipment, and systems; and the roles and responsibilities of
  ICE offices involved in the exit clearance process.
• Continue prioritizing security awareness and social engineering risks in the Annual Information
  Assurance Awareness Training.

For Segregation of Duties
• Enforce policies and procedures to ensure that assigned roles and responsibilities are commensurate
  with personnel job functions.

APPLICATION CONTROLS

As a result of the control deficiencies noted above in the Information Technology General Controls,
manual compensating controls were tested in place of application controls.

Appendix A

Description of Key ICE Financial Systems and IT Infrastructure
within the Scope of the FY 2011 DHS Financial Statement Audit

Federal Financial Management System (FFMS)
The FFMS is a CFO designated financial system and certified software application that conforms to OMB
Circular A-127 and implements the use of a Standard General Ledger for the accounting of agency
financial transactions. It is used to create and maintain a record of each allocation, commitment,
obligation, travel advance and accounts receivable issued. It is the system of record for the agency and
supports all internal and external reporting requirements. FFMS is a commercial off-the-shelf financial
reporting system. It includes the core system used by accountants, FFMS Desktop for users, and a
National Finance Center (NFC) payroll interface. FFMS currently interfaces with the following systems:
• Direct Connect for transmission of DHS payments to the U.S. Treasury
• Fed Traveler
• The Biweekly Examination Analysis Reporting and Controlling Accounting Data Inquiry, for the
  purpose of processing NFC user account and payroll information.
• The Debt Collection System
• Bond Management Information System Web

ICE Network
The ICE Network, also known as the Active Directory/Exchange (ADEX) E-mail System, is a major
application for ICE and other DHS components, such as the United States Citizenship Immigration
Services. The ADEX servers and infrastructure for the headquarters and National Capital Area are
located on the third floor of the Potomac Center North Tower in Washington, D.C.
ADEX currently
interfaces with the Diplomatic Telecommunications Service Program Office ICENet Infrastructure.

Appendix B

FY 2011 Notices of IT Findings and Recommendations at ICE

Notice of Findings and Recommendations (NFR) – Definition of Severity Ratings:

Each NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating the influence on the
Department of Homeland Security (DHS) Consolidated Independent Auditors’ Report.

   1 – Not substantial
   2 – Less significant
   3 – More significant

The severity ratings indicate the degree to which the deficiency influenced the determination of severity
for consolidated reporting purposes.

These ratings are provided only to assist the DHS in prioritizing the development of its corrective action
plans for remediation of the deficiency.

Notice of Findings

FY 2011 NFR #  NFR Title                                                       FISCAM Control Area        2011 Severity Rating  New Issue  Repeat Issue
ICE-IT-11-01   ADEX Resource Servers and Workstations have Inadequate          Configuration Management   3                     X
               Patch Management
ICE-IT-11-02   Terminated/Transferred Personnel are not Removed from           Access Controls            2                                X
               ADEX in a Timely Manner
ICE-IT-11-03   Access Recertification Review is not completed for FFMS         Access Controls            2                     X
ICE-IT-11-04   Weak FFMS Segregation of Duties                                 Segregation of Duties      2                                X
ICE-IT-11-05   Security Awareness issues were identified during Social         Security Management        3                                X
               Engineering
ICE-IT-11-06   FFMS Network and Servers were installed with Default            Configuration Management   3                                X
               Configuration Settings and Protocols
ICE-IT-11-07   FFMS Mainframe Production databases were installed and          Configuration Management   3                                X
               configured without baseline security configurations
ICE-IT-11-08   FFMS servers have inadequate patch management                   Configuration Management   3                                X
ICE-IT-11-09   Default installation and configuration of Cisco routers on ICE  Access Controls /          3                                X
               Network                                                         Configuration Management
ICE-IT-11-10   Security Awareness issues identified during After-Hours         Security Management        3                                X
               Walkthrough
ICE-IT-11-11   Lack of procedures for transferred/terminated personnel exit    Security Management        2                                X
               processing

Appendix C

Status of Prior Year Notices of Findings and
Recommendations and\n\n                             Comparison to \n\n Current Year Notices of Findings and Recommendations at ICE\n\n\n\n\n\n               Information Technology Management Letter for the\n               Immigration and Customs Enforcement Component\n                  of the FY 2011 DHS Financial Statement Audit\n                                    Page 11\n\x0c                                                                                           Appendix C\n                             Department of Homeland Security\n                          Immigration and Customs Enforcement\n                         Information Technology Management Letter\n                                    September 30, 2011\n\n\n                                                                                      Disposition\n  NFR #                                 Description                             Closed         Repeat\n\nICE-IT-10-01   Procedures for Transferred/Terminated Personnel Exit\n                                                                                                    X\n               Processing are not Followed\nICE-IT-10-02   Ineffective Password Settings in FFMS                              X\nICE-IT-10-03   Formal policy for FFMS Access Recertification is not\n                                                                                  X\n               Documented and Approved\nICE-IT-10-04   Weak FFMS Segregation of Duties                                                      X\nICE-IT-10-05   Audit Log Policies and Procedures are not Documented for\n                                                                                  X\n               FFMS.\nICE-IT-10-06   Terminated/transferred personnel are not removed from ADEX\n               in a timely manner                                                                   X\n\nICE-IT-10-07   Weak Environmental Controls at the OCS Datacenter                  X\nICE-IT-10-08   
Weak Environmental Controls at the PCN Computer Room               X\nICE-IT-10-09   Security Awareness Issues Identified during Social Engineering                       X\nICE-IT-10-10   Security Awareness issues Identified during After-Hours\n                                                                                                    X\n               Walkthrough\nICE-IT-10-11   Training for IT Security Personnel is not Mandatory                X\nICE-IT-10-12   Physical Safeguard Weaknesses exist at DHS DC2 Datacenter          X\nICE-IT-10-13   FFMS Network and Servers were Installed with Default\n                                                                                                    X\n               Configuration Settings and Protocols\nICE-IT-10-14   FFMS Mainframe Production databases were Installed and\n                                                                                                    X\n               Configured without Baseline Security Configurations\nICE-IT-10-15   FFMS Servers have Inadequate Patch Management                                        X\nICE-IT-10-16   Default Installation and Configuration of Cisco Routers on ICE\n                                                                                                    X\n               Network\n\n\n\n\n                     Information Technology Management Letter for the\n                     Immigration and Customs Enforcement Component\n                        of the FY 2011 DHS Financial Statement Audit\n                                          Page 12\n\x0c                                                            Appendix D\n         Department of Homeland Security\n      Immigration and Customs Enforcement\n     Information Technology Management Letter\n                September 30, 2010\n\nReport Distribution\n\nDepartment of Homeland Security\n\nSecretary\nDeputy Secretary\nGeneral Counsel\nChief of Staff\nDeputy Chief of Staff\nExecutive 
Secretariat\nUnder Secretary, Management\nAssistant Secretary, ICE\nDHS Chief Information Officer\nDHS Chief Financial Officer\nChief Financial Officer, ICE\nChief Information Officer, ICE\nChief Information Security Officer\nAssistant Secretary for Policy\nAssistant Secretary for Public Affairs\nAssistant Secretary for Legislative Affairs\nDHS GAO/OIG Audit Liaison\nChief Information Officer, Audit Liaison\nICE Audit Liaison\n\nOffice of Management and Budget\n\nChief, Homeland Security Branch\nDHS OIG Budget Examiner\n\nCongress\n\nCongressional Oversight and Appropriations Committees, as\nappropriate\n\n\n\n\n  Information Technology Management Letter for the\n  Immigration and Customs Enforcement Component\n     of the FY 2011 DHS Financial Statement Audit\n                       Page 13\n\x0cADDITIONAL INFORMATION AND COPIES\n\nTo obtain additional copies of this report, please call the Office of Inspector General\n(OIG) at (202)254-4100, fax your request to (202)254-4305, or e-mail your request to\nour OIG Office of Public Affairs at DHS-OIG.OfficePublicAffairs@dhs.gov. For\nadditional information, visit our OIG website at www.oig.dhs.gov or follow us on Twitter\n@dhsoig.\n\nOIG HOTLINE\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal\nor noncriminal misconduct relative to Department of Homeland Security programs and\noperations:\n\n\xe2\x80\xa2 Call our Hotline at 1-800-323-8603\n\n\xe2\x80\xa2 Fax the complaint directly to us at (202)254-4292\n\n\xe2\x80\xa2 E-mail us at DHSOIGHOTLINE@dhs.gov; or\n\n\xe2\x80\xa2 Write to us at:\n        DHS Office of Inspector General/MAIL STOP 2600,\n        Attention: Office of Investigation - Hotline,\n        245 Murray Drive SW, Building 410\n        Washington, DC 20528\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c'